cppki

package
v0.10.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 21, 2023 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// CertVersion is the x509 certificate version number 3.
	CertVersion = 3
)

Variables

View Source 
var (
	OIDExtKeyUsageSensitive = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 3, 1}
	OIDExtKeyUsageRegular   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 3, 2}
	OIDExtKeyUsageRoot      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 3, 3}

	OIDExtKeyUsageServerAuth   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
	OIDExtKeyUsageClientAuth   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
	OIDExtKeyUsageTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
)

ExtKeyUsage oids.

View Source 
var (
	OIDExtensionSubjectKeyID     = asn1.ObjectIdentifier{2, 5, 29, 14}
	OIDExtensionKeyUsage         = asn1.ObjectIdentifier{2, 5, 29, 15}
	OIDExtensionBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
	OIDExtensionAuthorityKeyID   = asn1.ObjectIdentifier{2, 5, 29, 35}
	OIDExtensionExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}
)

x.509v3 extension oids.

View Source 
var (
	// ErrWildcardISD indicates a wildcard ISD.
	ErrWildcardISD = serrors.New("wildcard ISD")
	// ErrReservedNumber indicates that the number is reserved.
	ErrReservedNumber = serrors.New("reserved number")
	// ErrSerialBeforeBase indicates that the serial number is smaller than the
	// base number.
	ErrSerialBeforeBase = serrors.New("serial before base")
	// ErrInvalidTRCIDString indicates that provided string in not valid TRC ID formatted string.
	ErrInvalidTRCIDString = serrors.New("string is not valid TRC ID")
)
View Source 
var (
	// ErrInvalidTRCVersion indicates an invalid TRC version.
	ErrInvalidTRCVersion = serrors.New("invalid TRC version")
	// ErrInvalidID indicates an invalid TRC ID.
	ErrInvalidID = serrors.New("invalid ID")
	// ErrGracePeriodNonZero indicates the grace period is non-zero in a
	// non-base TRC.
	ErrGracePeriodNonZero = serrors.New("grace period non-zero")
	// ErrVotesOnBaseTRC indicates that there are votes on a base TRC.
	ErrVotesOnBaseTRC = serrors.New("non-empty votes on base TRC")
	// ErrInvalidQuorumSize indicates the quorum size is outside of the [1,255]
	// range.
	ErrInvalidQuorumSize = serrors.New("invalid quorum size")
	// ErrNoASes indicates the ASes sequence is empty in the TRC.
	ErrNoASes = serrors.New("no ASes")
	// ErrWildcardAS indicates a wildcard AS.
	ErrWildcardAS = serrors.New("wildcard AS")
	// ErrDuplicateAS indicates an AS is duplicated in the sequence.
	ErrDuplicateAS = serrors.New("duplicate AS")
	// ErrUnclassifiedCertificate indicates a certificate could not be
	// classified as neither sensitive voting, regular voting nor root.
	ErrUnclassifiedCertificate = serrors.New("unclassified certificate")
	// ErrNotEnoughVoters indicates that the number of voters is smaller than
	// the voting quorum.
	ErrNotEnoughVoters = serrors.New("not enough voters")
	// ErrCertForOtherISD indicates a certificate that is for another ISD.
	ErrCertForOtherISD = serrors.New("certificate for other ISD")
	// ErrDuplicate indicates a duplicate certificate in the TRC.
	ErrDuplicate = serrors.New("duplicate certificate")
	// ErrTRCValidityNotCovered indicates that the TRC validity period is not
	// covered by a certificate.
	ErrTRCValidityNotCovered = serrors.New("TRC validity not covered by certificate")
)
View Source 
var (
	// ErrInvalidCertType indicates an invalid certificate type.
	ErrInvalidCertType = serrors.New("invalid certificate type")
)
View Source 
var ErrInvalidValidityPeriod = serrors.New("NotAfter before NotBefore")

ErrInvalidValidityPeriod indicates an invalid validity period.

View Source 
var (
	OIDNameIA = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 2, 1}
)

DistinguishedName oids.

View Source 
var (
	ValidSCIONSignatureAlgs = []x509.SignatureAlgorithm{
		x509.ECDSAWithSHA256,
		x509.ECDSAWithSHA384,
		x509.ECDSAWithSHA512,
	}
)

Valid SCION signatures

Functions

func ExtractIA 

func ExtractIA(dn pkix.Name) (addr.IA, error)

ExtractIA extracts the ISD-AS from the distinguished name. If the ISD-AS number is not present in the distinguished name, an error is returned.

func ParsePEMCerts 

func ParsePEMCerts(raw []byte) ([]*x509.Certificate, error)

ParsePEMCerts parses the PEM encoded certificate blocks in raw.

func ReadPEMCerts 

func ReadPEMCerts(file string) ([]*x509.Certificate, error)

ReadPEMCerts reads the PEM file and parses the certificate blocks in it. Only PEM files with only CERTIFICATE blocks are allowed.

func SubjectKeyID 

func SubjectKeyID(pub crypto.PublicKey) ([]byte, error)

SubjectKeyID computes a subject key identifier for a given public key. The computed ID is the SHA-1 hash of the marshaled public key according to https://tools.ietf.org/html/rfc5280#section-4.2.1.2 (1)

func ValidateChain 

func ValidateChain(certs []*x509.Certificate) error

ValidateChain validates that a slice of SCION certificates can be a valid chain.

func VerifyChain 

func VerifyChain(certs []*x509.Certificate, opts VerifyOptions) error

VerifyChain attempts to verify the certificate chain against every TRC included in opts. Success (nil error) is returned if at least one verification succeeds. If all verifications fail, an error containing the details of why each verification failed is returned.

The certificate chain is verified by building a trust root based on the Root Certificates in each TRC, and searching for a valid verification path.

Types

type CAPolicy 

type CAPolicy struct {
	// Validity defines the validity period of the create AS certificate.
	Validity time.Duration
	// Certificate is the CA certificate.
	Certificate *x509.Certificate
	// Signer holds the private key authenticated by the CA certificate.
	Signer crypto.Signer
	// CurrentTime indicates the signing time. If zero, the current time is
	// used.
	CurrentTime time.Time

	// ForceECDSAWithSHA512 forces the CA policy to use ECDSAWithSHA512 as the
	// signature algorithm for signing the issued certificate. This field
	// forces the old behavior extending the acceptable signature algorithms
	// in https://github.com/scionproto/scion/commit/df8565dc97cb6ef7c7925c26f23f3e9954ab2a97.
	//
	// Experimental: This field is experimental and will be subject to change.
	ForceECDSAWithSHA512 bool
}

CAPolicy defines how AS certificates are generated.

func (CAPolicy) CreateChain 

func (ca CAPolicy) CreateChain(csr *x509.CertificateRequest) ([]*x509.Certificate, error)

CreateChain takes the certificate request and creates a certificate chain. The request is assumed to be validated by the caller. The returned chain captures a reference to the CA certificate.

func (CAPolicy) Equal 

func (ca CAPolicy) Equal(o CAPolicy) bool

type CertType 

type CertType int

CertType describes the type of the SCION certificate. 

const (
	Invalid CertType = iota
	Sensitive
	Regular
	Root
	CA
	AS
)

Valid SCION certificate types

func ValidateCert 

func ValidateCert(c *x509.Certificate) (CertType, error)

ValidateCert validates the SCION certificate, as part of this it will validate that it is of valid type.

func (CertType) String 

func (ct CertType) String() string

type SignedTRC 

type SignedTRC struct {
	Raw         []byte
	TRC         TRC
	SignerInfos []protocol.SignerInfo
}

SignedTRC represents the parsed signed TRC.

func DecodeSignedTRC 

func DecodeSignedTRC(raw []byte) (SignedTRC, error)

DecodeSignedTRC parses the signed TRC.

func (*SignedTRC) Encode 

func (s *SignedTRC) Encode() ([]byte, error)

Encode encodes the signed TRC as CMS signed message in ASN.1 DER format.

func (*SignedTRC) IsZero 

func (s *SignedTRC) IsZero() bool

IsZero reports whether this TRC is empty.

func (*SignedTRC) Verify 

func (s *SignedTRC) Verify(predecessor *TRC) error

Verify verifies the signatures on a signed TRC. In case of a base TRC, the predecessor must be nil. In case of a non-base TRC, the predecessor must not be nil.

Verifying base TRC: When verifying the base TRC, it is checked that the TRC payload is valid, and that all voting certificates have signed the TRC.

Verifying non-base TRC: When verifying a non-base TRC, it is checked that the TRC payload is valid. Based on the predecessor TRC, the update is classified as regular update, or sensitive update. There are different sets of rules that need to be checked based on the update type.

type SignedTRCs 

type SignedTRCs []SignedTRC

SignedTRCs represents a list of parsed signed TRC.

func (SignedTRCs) Len 

func (t SignedTRCs) Len() int

Len returns the number of SignedTRCs.

func (SignedTRCs) Less 

func (t SignedTRCs) Less(i, j int) bool

Less returns if SignedTRC[i] is less than SignedTRC[j] based on isd > base > serial

func (SignedTRCs) Swap 

func (t SignedTRCs) Swap(i, j int)

Swap swaps the two elements of SignedTRCs

type TRC 

type TRC struct {
	// Raw contains the complete ASN.1 DER content.
	Raw []byte
	// Version is the one-indexed format version. This means, that the
	// serialized version 0 is represented as 1. This emulates behavior of the
	// go standard library for the x509 certificate version:
	// https://golang.org/pkg/crypto/x509/#Certificate
	Version           int
	ID                TRCID
	Validity          Validity
	GracePeriod       time.Duration
	NoTrustReset      bool
	Votes             []int
	Quorum            int
	CoreASes          []addr.AS
	AuthoritativeASes []addr.AS
	Description       string
	Certificates      []*x509.Certificate
}

TRC is the TRC payload.

func DecodeTRC 

func DecodeTRC(raw []byte) (TRC, error)

DecodeTRC parses the payload form ASN.1 DER format. The payload keeps a reference to the input data.

func (*TRC) Encode 

func (pld *TRC) Encode() ([]byte, error)

Encode encodes the payload in ASN.1 DER format.

func (*TRC) GracePeriodEnd 

func (trc *TRC) GracePeriodEnd() time.Time

GracePeriodEnd indicates the end of the grace period implied by this TRC. In case of a base TRC, the zero value is returned.

func (*TRC) InGracePeriod 

func (trc *TRC) InGracePeriod(now time.Time) bool

InGracePeriod indicates if the provided time is in the grace period of this TRC.

func (*TRC) IsZero 

func (trc *TRC) IsZero() bool

IsZero reports whether this TRC represents the zero value.

func (*TRC) RootCerts 

func (trc *TRC) RootCerts() ([]*x509.Certificate, error)

RootCerts returns all CP root certificates in this TRC.

func (*TRC) RootPool 

func (trc *TRC) RootPool() (*x509.CertPool, error)

RootPool extracts all CP root certificates in this TRC as a CertPool.

func (*TRC) Validate 

func (trc *TRC) Validate() error

Validate validates the payload. This does not include validation of TRC update restrictions.

func (*TRC) ValidateUpdate 

func (trc *TRC) ValidateUpdate(predecessor *TRC) (Update, error)

ValidateUpdate validates if this TRC is a valid successor TRC to the provided predecessor.

type TRCID 

type TRCID struct {
	ISD    addr.ISD
	Serial scrypto.Version
	Base   scrypto.Version
}

TRCID identifies a TRC.

func TRCIDFromString 

func TRCIDFromString(idStr string) (TRCID, error)

TRCIDFromString creates new TRCID from the provided string. TRCID string must be in format `ISD%d-B%d-S%d`.

func (TRCID) IsBase 

func (id TRCID) IsBase() bool

IsBase indicates if this is a base TRC.

func (TRCID) String 

func (id TRCID) String() string

func (TRCID) Validate 

func (id TRCID) Validate() error

Validate validates the TRC ID.

type Update 

type Update struct {
	Type UpdateType
	// NewVoters lists the sensitive and regular voting certificates that were
	// not part of the previous TRC. Either, due to changing an existing
	// voter, or, due to adding a new voter to the set.
	NewVoters []*x509.Certificate
	// Votes lists the sensitive or regular voting certificates that cast a vote
	// in the update.
	Votes []*x509.Certificate
	// RootAcknowledgments lists all the root certificates that need to
	// acknowledge a regular TRC update that changes their root certificate.
	RootAcknowledgments []*x509.Certificate
}

Update holds metadata about a TRC update.

type UpdateType 

type UpdateType int

UpdateType indicates the type of update. 

const (
	SensitiveUpdate UpdateType
	RegularUpdate
)

Update types.

func (UpdateType) String 

func (u UpdateType) String() string

type Validity 

type Validity struct {
	NotBefore time.Time
	NotAfter  time.Time
}

Validity indicates the TRC validity.

func (Validity) Contains 

func (v Validity) Contains(t time.Time) bool

Contains indicates whether the provided time is inside the validity period.

func (Validity) Covers 

func (v Validity) Covers(other Validity) bool

Covers indicates whether the other validity is covered by this validity.

func (Validity) Validate 

func (v Validity) Validate() error

Validate checks that NotAfter is after NotBefore.

type VerifyOptions 

type VerifyOptions struct {
	TRC         []*TRC
	CurrentTime time.Time // if zero, the current time is used
}

VerifyOptions contains parameters for certificate chain verification.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.